“The Artificial Adversary” – a New Operating Model for Cybercrime

“Artificial adversaries don’t have egos, suffer burnout, or deal with corporate drama. Your defenses do.” – Andres Andreu

In the spring of 2026, a handful of engineers with little security background ran an experiment. They pointed an Artificial Intelligence (AI) model at thousands of software codebases and asked it to identify issues. Over the course of one night it did more than find decades-old flaws hiding in plain sight. It created working exploits for them. The model was Claude Mythos Preview. In fact, its creator judged it so capable at weaponizing vulnerabilities that it chose not to release the model at that time.

For most of our field’s history, the adversary was human. Clever and motivated but bounded by sleep, attention, money, and skill. Now, however, that adversary is being augmented, and sometimes replaced. The replacement does not tire or hesitate. Moreover, it ignores the operational rhythms our defenses quietly assume. I call it “The Artificial Adversary.” Essentially, it takes one of two forms:

  • A human operator empowered by an AI stack.
  • An autonomous AI system acting toward malicious ends.

At this stage these have stopped being thought experiments and are now turning up in incident reports.

An Inflection Point, Not a Trend Line

Three things are happening at once. Together, they mark an inflection point rather than an incremental shift:

  • AI has lowered the barrier to entry for sophisticated crime.
  • Synthetic media is collapsing our ability to trust digital signals. A familiar face or a known voice, after all, no longer proves what it once did.
  • The volume and speed of AI-enabled activity now outpaces the manual, static defenses built for a slower era.

The numbers are no longer speculative

SoSafe’s 2025 research found that roughly 87% of organizations worldwide faced an AI-powered cyberattack in the prior year. Direct attacks aside, model evaluations are just as concerning. For instance, the UK’s AI Security Institute (AISI) tested Claude Mythos Preview. It solved expert-level CTF challenges about 73% of the time. Notably, no model could complete those challenges at all before April 2025. Mythos went further still. In fact, it became the first model to solve the AISI’s 32-step simulated network takeover, from reconnaissance to full compromise. Anthropic’s red team reported even broader findings. Working alongside the AISI, it watched the model surface thousands of zero-day flaws. These included a dormant 27-year-old vulnerability in OpenBSD and a 16-year-old bug in FFmpeg. In Firefox alone, Mythos found 271 vulnerabilities and wrote exploits for 181 of them.

A signal, not the threat itself

Anthropic withheld Mythos from public release. Instead, it granted limited access to a small set of organizations that build and maintain critical software and infrastructure. The program is called Project Glasswing. Launch partners reportedly include Amazon Web Services, Apple, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Officially, the intent was to give defenders a head start. Yet Mythos isn’t the only game in town. For example, tools such as OpenAI’s GPT-5.4-Cyber, OWASP CVE Lite CLI, and Google’s Big Sleep already show great promise and in some cases comparable capability. When competition rises, the cost of entry keeps falling. Regulators noticed quickly. Within weeks, the Bank of England intensified its AI risk testing, and German banks consulted regulators and cyber experts. The lesson, therefore, is the one Bain and others drew immediately. In short, assume your adversaries, nation-states, criminal enterprises, and rogue actors alike, are building equivalent capabilities. Mythos is a signal, not the threat itself.

Defining the Artificial Adversary

It helps to name the archetype precisely, because precision changes how we defend. So picture an AI-enhanced human actor. Here, the human sets the strategic objectives. The machine, in turn, executes the great majority of the tactical workload. The consequence is direct. As a result, offensive cycles compress, and defenders can no longer assume a human-speed response on the other side of the keyboard.

Human adversaries operate within cognitive, temporal, and logistical limits. An autonomous AI-based adversary does not. Needing no sleep, it carries no emotional baggage and runs continuously across global digital environments. Moreover, it can analyze vast data stores and reason probabilistically in real time. Such a system can also coordinate through decentralized, agentic architectures that resist any single point of shutdown. Its capacity for deception, mimicry, and adaptation, therefore, creates a new category of risk. Consequently, detection, attribution, and deterrence all become far harder. The asymmetry, however, is not only technological. It is also cognitive. In the end, defenders must prepare for opponents that do not tire, hesitate, or follow any rules.

The Artificial Adversary Taxonomy

A practical taxonomy has five levels.

  • AI-assisted human operator – a human attacker uses AI for discrete tasks such as phishing, translation, research, script generation, or stolen-data summarization.
  • AI-augmented threat crew – a criminal or nation-state team embeds AI into reconnaissance, exploit research, identity profiling, malware development, infrastructure staging, data exfiltration, and victim communications.
  • AI-orchestrated campaign – agentic systems coordinate personas, assign tasks, monitor responses, tune timing, and manage parallel workflows while humans supervise outcomes.
  • Semi-autonomous adversarial agent – the system conducts meaningful parts of the intrusion chain itself, including asset discovery, service testing, response analysis, and attack path modification.
  • Autonomous malicious AI system – an AI system pursues malicious objectives with limited or delayed human direction, raising harder questions around attribution, containment, predictability, and control.

This taxonomy matters because an AI-assisted phishing actor requires different defenses than an autonomous agent probing applications, manipulating identities, and adapting to telemetry in real time.

Facilitation – Lowering the Barrier

The first way AI empowers adversaries is the least glamorous and the most pervasive. Simply put, it removes friction. For a few years now, the underground has marketed “Dark LLMs.” The roster includes WormGPT, FraudGPT, KawaiiGPT, and imitators such as MalwareGPT, SpamGPT, and Xanthorox. Each promises jailbreaks, malware help, and ready-made scam playbooks. Some are functional. Many, however, are simply scams that prey on aspiring criminals. Either way, the real significance is not any single tool. Rather, it is the normalization of the idea. A capable, on-demand junior developer is now available to anyone with a few GPUs, a wallet of API keys, and some patience.

Malware that writes itself

Proof-of-concept work made the threat concrete. Researchers, for instance, demonstrated BlackMamba, a keylogger that built its malicious code at runtime by calling a Large Language Model (LLM). That approach neatly sidesteps the static signatures defenders rely on. By late 2025, the threat had moved from the lab to the wild. Google’s threat intelligence team documented two malware families: PROMPTFLUX and PROMPTSTEAL. Both query LLMs during execution. One rewrites itself, while the other generates fresh commands mid-attack. This is “Just-In-Time” (JIT) malicious code. In other words, the software does not carry its full payload. Instead, it assembles the payload on demand, from a model that does not know it is being conscripted.

When the face on the call is fake

Facilitation also reaches the human layer through synthetic media. Convincing face and voice clones, for example, can now be mass-produced. So can cross-lingual conversion and studio-quality content. Better yet for the attacker, agent teams run these operations around the clock, iterating on failures without fatigue. As a result, the multi-party deepfake video call is no longer hypothetical. Picture a finance employee walked through an “urgent” wire transfer by a “CFO” and “general counsel” who are both synthetic. Clearly, the attack surface is no longer just endpoints and identities. It now also includes the emotional tone around those identities, across collaboration tools, social media, and internal communications.

Vibe Hacking – Psychological Warfare at Machine Speed

This last point deserves its own name. After all, it is where AI-enabled social engineering becomes something new. Vibe hacking is social engineering supercharged with a full AI stack. Here, the adversary does not send a single phishing email or place one deepfake call. Instead, models shape the emotional context around a target over time. The goal, therefore, is not to trick a victim once. Rather, it is to tune the “vibe” of their human state along with their digital environment, so that risky actions feel natural, familiar, and self-initiated.

Sensing, profiling, persistence

A campaign begins with sensing and profiling. To start, adversaries point AI at everything they can scrape. These sources include OSINT, LinkedIn activity, public Slack and Discord communities, conference talks, support tickets, and marketing emails. Sentiment analysis is important here: models infer mood, personality, stress levels, decision style, and trust anchors. That attackable profile, in turn, feeds a working model of the target’s context. A looming quarter, a key project, and the likely sources of anxiety or excitement all become real and exploitable. Generative models subsequently produce content tuned to the target’s state. The real weaponization, however, comes from scale and persistence. One artificial adversary can run dozens of long conversations at once. Each hides behind a distinct persona: the sympathetic colleague, the urgent executive, the overworked vendor. Meanwhile, it A/B tests tone, timing, and channel to learn what lowers resistance or skepticism. By the time the critical ask arrives, therefore, the victim feels they are accommodating a relationship, not responding to an attack.

This is the reframing that matters:

Vibe hacking isn’t better phishing. It’s your own people, profiled and played at machine scale – we hardened the edges and left the nervous system exposed.

Andres Andreu

From theory to a real victim list

None of this is a forecast. In August 2025, in fact, Anthropic’s Threat Intelligence team disclosed a case it tracked as GTG-2002. A single actor used an agentic coding tool to run a data-extortion operation. In total, the targets numbered at least 17 organizations, spanning healthcare, emergency services, government, and religious institutions. A defense contractor was among the victims, too. Remarkably, the whole campaign ran in roughly a month. To pull it off, the attacker embedded an operational playbook in a configuration file, so the AI could make tactical decisions during live intrusions. From there, the model automated reconnaissance and credential harvesting. It even generated ransom notes tailored to each victim, with demands reported between roughly $75,000 and more than $500,000. Ultimately, one person, with an AI operator alongside, did the work of a coordinated crew.

Scale – From Assistant to Operator

Facilitation lowers the barrier to entry; scale changes the magnitude. For example, the same agentic models that help an enterprise automate work can be organized into adversarial swarms. A planner agent sets the goals. Meanwhile, sub-agents run in parallel performing actions such as OSINT scraping, phishing and deepfake generation, code generation, and dropper construction. Because they share memory and data from feedback loops, the whole system improves with each iteration.

The criminal supply chain, in turn, has matured around this model. Telegram, for instance, serves as a resilient “dark social layer”: encrypted, anti-censorship, easy to churn and burn, and slow to take down. There, automated bots stream stolen credit card data and run validation checks at a pace no human team could sustain. Increasingly, the same architecture is aimed at availability, too. Agentic orchestrators break a Layer-7 denial-of-service goal into reconnaissance, traffic generation, and adaptive evasion, while coordinated worker nodes handle individual parts of the overall campaign.

The first autonomous espionage campaign

A defining incident arrived in November 2025. Anthropic reported disrupting a campaign it attributed, with high confidence, to a Chinese state-sponsored group tracked as GTG-1002. Notably, it was the first publicly documented, largely autonomous AI-orchestrated cyber-espionage campaign. It was detected in mid-September. In all, the operation targeted roughly thirty high-value organizations across technology, finance, chemical manufacturing, and government.

To pursue their objectives, the attackers manipulated an agentic coding tool into acting as a fleet of autonomous penetration-testing orchestrators and agents. First, they jailbroke its safeguards by role-playing a defensive security firm. Then they broke malicious objectives into benign-looking subtasks. From that point, the AI handled reconnaissance, vulnerability discovery, exploitation, credential harvesting, lateral movement, and exfiltration. In total, that came to an estimated 80 to 90% of tactical operations, issued at thousands of requests per second. Human operators, by contrast, stepped in only at a few strategic chokepoints. This wasn’t as clean as a Hollywood movie scene, though: the model’s hallucinations sometimes invented credentials or overstated findings. Those errors were among the few things keeping the operation from full autonomy.

A Real Incident, End to End – The NPD Sextortion Wave

To see these capabilities combine into one industrialized pipeline, consider the extortion spam that followed the National Public Data (NPD) breach. The underlying breach was staggering. Systems were first compromised in December 2023. By April 2024, the data had surfaced on the dark web. The company, however, acknowledged the incident only in August 2024. All told, it affected up to 170 million people and exposed as many as three billion records. The follow-on campaign was instructive less for its novelty than for its assembly. Specifically, attackers used GPT-based code generation to operationalize the stolen data end to end. The result was personalized extortion content. Each message addressed the victim by name, referenced a real home address, and embedded street-view imagery of the respective house. Then it demanded payment in Bitcoin, usually between $1,900 and $2,000, for the sake of tranquility or peace of mind.

None of the individual techniques were sophisticated. The sophistication, instead, lay in the orchestration. Consider the parts: a breach corpus, a code-generating model, a templating layer that fused public records with mapping imagery, and a delivery pipeline. Stitched together, these produced a campaign with a scale and personalization no manual operation could match. That, in essence, is the pattern security leaders should internalize. The artificial adversary rarely wins with one brilliant exploit. Instead, it wins by removing friction from every step and running the whole chain faster than defenders can detect and respond.

Turning the Tables – Disrupting Malicious Automation

The very properties that make AI dangerous on offense also make it invaluable on defense. Better still, they open a counter-strategy that purely human teams never had. If attackers automate, then defenders can engineer the environment to exploit that automation. In practice, deception engineering and adversarial intelligence combine well.

The single goal is to convert the attacker’s automation into your early-warning system. Synthetic credentials, decoy services, and AI-generated traffic, for instance, all look irresistible to an autonomous agent. As such, they become tripwires. Because the agent probes tirelessly and indiscriminately, it hits the decoys long before a careful human would. Consequently, it can surface a campaign while it is still in an early stage.
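The tripwire idea above, sketched as detection logic. This is an added example, not code from the article; the decoy account names, the key marker, the 24-hour pivot window and the sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical planted identities. Nothing legitimate ever uses them, so any
# touch is high-signal whether or not the attempt succeeds.
DECOY_USERS = {"svc-backup-legacy", "adm-jsmith-old"}
DECOY_KEY_PREFIX = "DECOY-"          # assumed marker embedded in planted API keys
PIVOT_WINDOW = timedelta(hours=24)   # assumed; source IPs get reused, so bound the pivot

# Constructed authentication events:
# (timestamp, source, principal, credential id, outcome)
SAMPLE_EVENTS = [
    ("2026-01-10T02:14:03", "203.0.113.7", "alice", "pw", "success"),
    ("2026-01-10T02:15:10", "198.51.100.23", "svc-backup-legacy", "pw", "failure"),
    ("2026-01-10T02:15:11", "198.51.100.23", "bob", "pw", "failure"),
    ("2026-01-10T02:15:12", "198.51.100.23", "carol", "pw", "success"),
    ("2026-01-10T02:16:40", "198.51.100.23", "api", "DECOY-7f3a", "failure"),
    ("2026-01-10T09:00:00", "203.0.113.7", "alice", "pw", "success"),
    ("2026-01-12T09:00:00", "198.51.100.23", "dave", "pw", "success"),
]


def is_decoy(principal, credential_id):
    """True when the event touches a planted account or a planted API key."""
    return principal in DECOY_USERS or credential_id.startswith(DECOY_KEY_PREFIX)


def triage(events, window=PIVOT_WINDOW):
    """Group decoy touches by source, then pivot to the real accounts that
    authenticated successfully from the same source close to a touch."""
    parsed = [(datetime.fromisoformat(ts), src, who, cred, outcome)
              for ts, src, who, cred, outcome in events]

    touches = defaultdict(list)
    for ts, src, who, cred, _ in parsed:
        if is_decoy(who, cred):
            touches[src].append(ts)

    report = {}
    for src, hit_times in touches.items():
        exposed = set()
        for ts, event_src, who, cred, outcome in parsed:
            if event_src != src or is_decoy(who, cred) or outcome != "success":
                continue
            # Only accounts seen near a decoy touch: the same address may
            # belong to someone else days later.
            if any(abs(ts - hit) <= window for hit in hit_times):
                exposed.add(who)
        report[src] = {
            "first_touch": min(hit_times).isoformat(),
            "decoy_touches": len(hit_times),
            "accounts_to_contain": sorted(exposed),
        }
    return report


if __name__ == "__main__":
    for source, finding in triage(SAMPLE_EVENTS).items():
        print(source, finding)
```

The decoy touch itself is the alert; the pivot is what turns it into a containment list, here the one real account that logged in from the same source seconds later.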

Red teaming with autonomous agents

AI-augmented red teaming has a strong place here. In a 2024 experiment reported by WIRED, for example, a journalist let autonomous AI agents from the startup RunSybil attack a custom web app. The agents collaborated in real time. Specifically, they used SQL injection, brute-force authentication, form-field manipulation, and path traversal. Most importantly, they iterated on their failures. Without human direction, they re-planned and adjusted strategies, surfacing logic flaws that traditional scanners had missed. The agents were not malicious; their behavior, however, was. It was adversarial, coordinated, and effective. The takeaway, then, is fairly straightforward. First, adopt autonomous red-teaming agents to pressure-test your defenses against continuous, iterative, logic-driven attacks. Then pair them with high-fidelity telemetry and behavioral anomaly detection. Together, they can flag AI-like probing even when individual requests look benign.
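One way to flag probing from session shape instead of request content, as an added example that is not from the article. The four indicators, their thresholds and the sample requests are assumptions constructed for illustration; real values would be tuned against your own telemetry.

```python
from collections import defaultdict
from statistics import median

# Assumed starting thresholds, to be tuned against real traffic.
MAX_MEDIAN_GAP_MS = 1000   # sustained sub-second pacing
MIN_DISTINCT_PATHS = 8     # breadth of surface touched in one session
MIN_4XX_SHARE = 0.3        # share of requests the application refused
MIN_QUERY_VARIANTS = 4     # same endpoint retried with varied parameters

# Constructed sample: (client, time in ms, path, query string, status).
AGENT_STEPS = [
    ("/", "", 200), ("/login", "", 200), ("/admin", "", 403),
    ("/api/users", "", 401), ("/api/orders", "id=1", 200),
    ("/api/orders", "id=2", 403), ("/api/orders", "id=3", 403),
    ("/api/orders", "id=0", 404), ("/backup", "", 404), ("/config", "", 404),
    ("/api/export", "", 403), ("/static/app.js", "", 200),
    ("/api/search", "q=a", 200), ("/health", "", 200),
]
SAMPLE = (
    # A person browsing: irregular pauses, few pages, no refusals.
    [("10.0.0.5", t, p, q, 200) for t, p, q in [
        (0, "/", ""), (14000, "/products", "page=1"),
        (51000, "/products", "page=2"), (120000, "/cart", ""),
        (133000, "/checkout", ""), (300000, "/", "")]]
    # Iterative probing: every request is an ordinary-looking GET.
    + [("10.0.0.9", 1000 + i * 400, p, q, s)
       for i, (p, q, s) in enumerate(AGENT_STEPS)]
    # A health checker: machine-paced but narrow, so it must not be flagged.
    + [("10.0.0.77", i * 500, "/health", "", 200) for i in range(10)]
)


def profile(records):
    """Return {client: {indicator: bool}} computed over each client's session."""
    sessions = defaultdict(list)
    for client, t_ms, path, query, status in records:
        sessions[client].append((t_ms, path, query, status))

    result = {}
    for client, reqs in sessions.items():
        reqs.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(reqs, reqs[1:])]
        variants = defaultdict(set)
        for _, path, query, _ in reqs:
            variants[path].add(query)
        refused = sum(1 for r in reqs if 400 <= r[3] < 500)
        result[client] = {
            "fast": bool(gaps) and median(gaps) < MAX_MEDIAN_GAP_MS,
            "broad": len(variants) >= MIN_DISTINCT_PATHS,
            "error_heavy": refused / len(reqs) >= MIN_4XX_SHARE,
            "mutating": max(len(q) for q in variants.values()) >= MIN_QUERY_VARIANTS,
        }
    return result


def flag(records, min_indicators=3):
    """Clients tripping several indicators at once; one alone is too noisy."""
    return sorted(client for client, ind in profile(records).items()
                  if sum(ind.values()) >= min_indicators)


if __name__ == "__main__":
    print(flag(SAMPLE))
```

Requiring several indicators together is what keeps the health checker out of the result while still catching the session whose individual requests would each pass a content filter.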

Governing the Machine and the People Around It

Speed without governance introduces its own risk. As defenders deploy autonomous and semi-autonomous capabilities, they take on an obligation. Those capabilities must be fast where they must be, careful where they should be, and always controllable by competent humans. Fortunately, a workable program can borrow from frameworks now maturing across the industry. For a foundation, anchor on NIST’s AI Risk Management Framework or ISO/IEC 42001. To turn principles into adversarial test cases, layer in MITRE ATLAS and the OWASP Top 10 for LLM applications. To harden the model lifecycle, draw on ISO/IEC 23894 and Google’s Secure AI Framework. Finally, add a staged maturity model to move from reactive to adaptive.

High-impact automated actions, meanwhile, need extra care. By default, mass credential revocation, large-scale connection throttling or tarpitting, and account lockouts should sit behind human-in-the-loop gates. In addition, back them with immutable audit logs, explainability proportional to impact, and fast paths to appeal and rollback.

Two cautions

Two cautions deserve emphasis.

First, treat AI models and their supply chains as critical software assets. In practice, that means validating provenance, verifying integrity, and monitoring runtime behavior. After all, data and model poisoning are now first-class threat vectors.

Second, resist the urge to fight fire with fire across legal lines. Attacker AIs, remember, routinely route through innocent third parties. As a result, heavy-handed countermeasures invite escalation and cross-border legal exposure, among them hack-back, automated counter-intrusion, and poisoning someone else’s ecosystem. Privacy by design, data minimization, auditability, and human oversight should not be compliance theater. On the contrary, they should be focused on what keeps a fast defense lawful and trusted.

What Security Leaders Must Do Now

The artificial adversary does not need to be sentient to change the game. Instead, it only needs to make capable attackers faster, more iterative, and less dependent on rare human skill. Accordingly, defenders should architect for that reality:

  • Treat AI as both adversary and ally – regularly run hybrid threat scenarios, machine-augmented attackers against machine-augmented defenders, so that you find your blind spots first.
  • Shift from signatures to behavior – static, content-based controls cannot anticipate self-modifying code or agentic chaining. Instead, invest in behavioral analytics, high-fidelity logging, and context-aware security that reads relationships, not keywords.
  • Stand up real AI governance – name a single accountable owner and convene a cross-functional oversight board. Then keep a model and agent registry, and define rules of engagement and rollback paths before you enable automation.
  • Secure the model supply chain – audit data lineage and model integrity, and assume third-party datasets, weights, and components can be poisoned upstream.
  • Deploy deception as early warning – use AI honeypots and synthetic assets to turn the adversary’s tireless automation into your early detection advantage.
  • Compress your defensive cycle – above all, adopt AI-augmented red teaming and threat hunting so that you out-learn the adversary. Then measure what matters – detection accuracy, false-positive and false-negative rates, model drift, autonomy and override rates, and time to contain.

The Pivotal Question

The pivotal question about any adversary has changed. No longer is it simply who they are or what they want. Instead, it is “what can they assemble and operationalize with AI faster than we can detect and respond?” Once, the human attacker was the central concern. Now, by contrast, security leaders face intelligent, scalable opponents that run as close to machine speed as the hardware allows. Confronting them takes more than static controls and periodic red teaming. Rather, it takes continuous learning, dynamic simulation, and AI-augmented defense. Above all, it takes one hard admission: the next major breach may not be human at all.

Awareness is the beginning; action defines resilience. The Artificial Adversary is here. The only question is whether we will be ready when it decides to strike.

Industrialized Identity – The New Factory Model for Fraud

Industrialized Identity – adversaries now run identity like a factory. Most organizations still talk about identity breaches like they talk about storms: unfortunate, occasional, and mostly out of their control. But attackers don’t forecast storms, they manufacture them.

The adversary does not see it that way. Instead, they treat identity as raw material. They harvest it, refine it, enrich it, and operationalize it, over and over, until they can monetize it by running fraud, impersonation, and Account Takeover (ATO) campaigns like a production line.

This dynamic doesn’t just change adversarial TTPs per se. It cascades: it changes the adversary’s economics. It also changes defender timelines. And it changes what “good” looks like for a CISO who needs to protect revenue, customers, and business operations.

In the 2026 Identity Breach Report from Constella Intelligence we see the signal clearly – identity exposure now moves at machine speed and scale, with industrial processes behind it, not opportunistic one-offs.

Identity risk didn’t just get “worse.” It got productized.

And once it’s productized, attackers don’t need to break in to create impact. They can often log in, have data changed/reset, or impersonate. Traction becomes real when they assemble “attackable profiles”. In practice, that means they can:

  • pass help desk or account recovery checks
  • bypass “knowledge-based” verification
  • look legitimate across channels
  • scale automation without spiking obvious alarms

For these attackable profiles to become real, adversaries have built an identity supply chain:

Ingest → Clean → Correlate → Enrich → Package → Operationalize

Quarterly controls and reactive incident response will not stand up to this type of pattern. Worse, this can become industrialized at scale. Defense models need to run at that same tempo.

The Identity Density Gap – the story behind +135% record growth vs. +11% unique identifiers

Let’s quantify the shift. Here’s a 2025 statistic that should force a mindset change: breach record volume grew by 135% while unique identifiers only grew 11%.

That says something simple and brutal: adversaries don’t need more identity data. So the problem isn’t more identities. It’s more context per identity (more data per person). This is the Identity Density Gap.

Put differently, density is leverage:

  • A thin identity (email + password) supports commodity credential stuffing.
  • A dense identity (email + phone + address + DOB + linked accounts + recovery hints + active session objects) supports high-confidence impersonation and repeatable fraud.

Density gives attackers options. Options create resilience. Resilience creates pathways that can also be leveraged at scale.

The outdated approach that so many security teams pursued was to fix authentication. Yet they constantly lost to ATO and fraud. The adversary no longer cares about the login prompt; they see the attack surface across the entire identity lifecycle:

  • onboarding and enrollment
  • authentication
  • session handling and token reuse
  • account recovery and help desk flows
  • high-risk transactions and workflow approvals

Defending only one link in that chain is now a mere inconvenience: attackers route around fragmented strategies. And they do it fast.

Industrialized data correlation – how attackers turn billions of attributes into attackable profiles

Attackers don’t win because they possess data. Attackers win because they correlate data. When an operation runs at the scale of 400 billion+ attributes, correlation stops being a research activity and becomes a manufacturing step. Couple this with the vast amount of OSINT in existence and a picture starts to form.

Here’s how the factory works:

First – Normalization

Adversaries normalize raw material – they standardize fields, clean formatting, remove duplicates, and fix missing pieces. They don’t need perfection. They need enough consistency to automate.

Next – Linking

Data gets linked across disparate datasets – the adversary matches email addresses to phone numbers. Phone numbers to addresses. Addresses to dates of birth, and so on. One dataset fills the gaps in another.

Then – Scoring

Adversaries score attackable profiles to measure ROI. They don’t ask, “Can I compromise this account?” They ask, “Can I monetize this identity fast?”

They prioritize identities that connect to:

  • financial access
  • enterprise privileges
  • payroll and HR workflows
  • customer support recovery paths
  • vendor payment processes

Finally – Packaging

Profiles get packaged for operations. This is where identity becomes attackable. The profile supports repeatable playbooks: ATO, recovery bypass, SIM swap targeting, impersonation, and payment diversion.

That’s why identity risk now behaves like a business function for adversaries. They build a pipeline. That pipeline gets refined. Then it gets scaled.

And then exposure events feed that pipeline.

The Top Exposure Events – why mega breaches punch above their weight

When massive exposure events hit, many leaders respond with the familiar: “We’ll monitor. We’ll see if we’re affected.”

That script fails at machine speed. Large exposure events don’t just increase volume, they increase operational certainty for attackers:

  • consistent record structure
  • high overlap of data points with prior leaks
  • fast enrichment potential
  • easy automation with AI-powered technologies

There are many examples of large data breaches. At this point they need to be treated as more than just headlines. Treat them as inventory injections, the raw materials needed for the modern-day identity supply chain.

Once that inventory enters circulation, attackers don’t “use it once.” They:

  • monetize it
  • repackage it
  • enrich it with other datasets
  • resell it
  • and operationalize it in waves

That’s why identity exposure rarely behaves like a single incident. It behaves like a persistent condition.

And that’s why “wait for confirmed compromise” becomes the wrong approach.

Machine-speed defense – stop chasing events, interdict the pipeline

If attackers run identity like a factory, defenders must reciprocate. Defenders need to treat identity like a control plane.

This isn’t about perfect security, as there is no such thing. Defenders do, however, need faster cycles:

  • faster detection-to-decision
  • faster decision-to-enforcement
  • tighter governance around automation
  • metrics that prove reduced operational risk

Here are some practical steps to improve an ecosystem:

Convert exposure into action

Alerts don’t help if they don’t trigger changes in systems and/or behavior. If it doesn’t change enforcement, it’s just telemetry. Build an identity exposure-to-action playbook that answers:

  • Which identities matter most? (executives, finance, privileged admins, support)
  • Which workflows create the largest blast radius? (recovery, vendor payments, payroll, customer support)
  • What control do we trigger first? (session resets, account recovery restrictions, throughput throttling)

Next, attack their economics.

Render stolen credentials less valuable

Kill the advantages that adversaries love by:

  • deploying phish-resistant MFA, especially for privileged roles
  • binding sessions to devices where possible
  • tightening token lifetimes and reuse policies

Then, close the side doors.

Harden the bypass routes

Adversaries don’t always brute force their way in. They take less resistant paths, such as socially engineering account resets via a help desk. Treat recovery like a privileged operation by:

  • restricting recovery pathways for users, especially privileged ones
  • requiring stronger proof for recovery than just login creds
  • adding friction (synchronous checks via phone call, etc.) to high-impact changes (bank info, payout routing, email changes)
  • training support teams on identity manipulation patterns and escalation guardrails

Finally, scale your response.

Automate enforcement

Automation wins at machine speed when done right, but beware as it can also break business operations. Start slow with low-risk actions and require human approval for high-impact actions (account lockouts, financial workflow freezes, privileged access resets).
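A sketch of the split described here, and of the human-in-the-loop gates with audit logging called for in the governance discussion earlier. It is an added example, not code from the article; the action identifiers, the two-person rule and the `EnforcementGate` class are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Tiers follow the article's examples; the identifiers themselves are assumed names.
LOW_RISK = {"session_reset", "recovery_restriction"}
HIGH_IMPACT = {"account_lockout", "mass_credential_revocation", "connection_tarpit",
               "financial_workflow_freeze", "privileged_access_reset"}
GENESIS = "0" * 64


class EnforcementGate:
    """Runs low-risk controls at once, queues high-impact ones for a human."""

    def __init__(self, executor):
        self.executor = executor   # callable(action, target) that applies the control
        self.log = []              # hash-chained audit trail
        self.pending = {}          # ticket id -> queued request
        self._seq = 0

    def _record(self, kind, **fields):
        # Each entry commits to the previous one, so editing or dropping an
        # entry breaks verify(). This is tamper evidence only; immutability
        # needs append-only storage and the head hash anchored elsewhere.
        event = {"kind": kind, "at": datetime.now(timezone.utc).isoformat(), **fields}
        prev = self.log[-1]["hash"] if self.log else GENESIS
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.log.append({"event": event, "prev": prev, "hash": digest})

    def request(self, action, target, reason, requested_by):
        """Return (status, ticket). Unknown actions fail closed."""
        req = {"action": action, "target": target,
               "reason": reason, "requested_by": requested_by}
        if action in LOW_RISK:
            self.executor(action, target)
            self._record("executed", approver=None, **req)
            return "executed", None
        if action in HIGH_IMPACT:
            self._seq += 1
            ticket = f"T{self._seq}"
            self.pending[ticket] = req
            self._record("pending", ticket=ticket, **req)
            return "pending", ticket
        self._record("rejected", **req)
        return "rejected", None

    def approve(self, ticket, approver):
        """Execute a queued action; the requester cannot approve its own request."""
        req = self.pending.get(ticket)
        if req is None or approver == req["requested_by"]:
            self._record("approval_denied", ticket=ticket, approver=approver)
            return False
        del self.pending[ticket]
        self.executor(req["action"], req["target"])
        self._record("executed", ticket=ticket, approver=approver, **req)
        return True

    def verify(self):
        """Recompute the chain; False means an entry was altered or removed."""
        prev = GENESIS
        for entry in self.log:
            body = json.dumps(entry["event"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


def demo():
    applied = []
    gate = EnforcementGate(lambda action, target: applied.append((action, target)))
    gate.request("session_reset", "user:alice", "credential in exposure feed", "soar-bot")
    _, ticket = gate.request("account_lockout", "user:cfo",
                             "credential in exposure feed", "soar-bot")
    gate.approve(ticket, "analyst-1")
    return applied, gate.verify()


if __name__ == "__main__":
    print(demo())
```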

And if you want to win long-term, measure what matters.

Measure the right outcomes

Generally speaking, if something gets measured, it can be improved. Consider the following to improve a security posture:

  • time-to-detect exposure (requires analysis to unearth original exposure)
  • time-to-enforce controls
  • % of privileged users on phish-resistant MFA
  • reduction in successful recovery abuse
  • reduction in ATO attempts that reach “valid session” state

Some of these metrics are not trivial and require analysis. But they translate cleanly to business outcomes: less fraud, fewer outages, fewer customer escalations.

The bottom line

Identity risk didn’t just automagically grow. It got industrialized.

Interestingly, attackers now build identity products. They run correlation pipelines. They operationalize exposure at machine speed. And they scale fraud the way mature businesses scale customer acquisition: with automation, testing, and iteration.

Here’s the modern posture. Instead of relying on outdated perimeter strategies, consider:

  • treating exposure as a leading indicator
  • hardening the identity lifecycle, not just the login
  • interdicting the pipeline wherever possible

Defending identity in the industrial era requires a new mindset.

AI Powered Cybercrime – How AI Supercharged a Sextortion Wave

Part 3 of AI Powered Cybercrime

Sextortion isn’t new. Velocity has increased, personalization has sharpened, and attackers can now run campaigns at industrial scale. This wave is a collision event between the first two posts in this series: facilitation (credible intimidation) and scale (high-volume delivery).

Many security programs have an important blind spot: they treat coercion as a personal problem. In reality, coercion quickly becomes an enterprise problem when it pressures employees into silence, errors, or unsafe, unethical, or illegal behavior.

What happened (high level)

Following the large-scale exposure of personal data from a data broker, threat actors began sending extortion emails that included real names, real email addresses, and real home addresses. The goal was not technical proof; it was psychological terrorism. When a recipient of these types of emails and/or files sees real personal details, the scam feels “more real,” even if the core claim is false.

Some variants escalated intimidation by including a photo of the victim’s home sourced from publicly available mapping imagery. That addition is a masterclass in facilitation: it takes something the attacker can generate cheaply and turns it into a credibility anchor that increases stress and compresses decision time.

Why it works: plausibility beats truth under pressure

Most victims don’t evaluate these messages like analysts. They evaluate them like humans under threat, with emotion. The campaign design is built around that reality: shock, shame, urgency, and a narrow window to “fix” the situation. The scam doesn’t need to be technically accurate to be operationally effective; it only needs to feel plausible long enough to trigger payment.

This is the same vibe hacking dynamic we see in enterprise fraud: urgency is used as a control bypass. When the attacker can manufacture plausibility quickly, policy and verification become the only reliable defenses.

Where AI fits (without fluff)

AI does not need to run the entire scheme to increase harm. It only needs to improve the leverage points. First, it enables endless text variation while maintaining a consistent tone and similar messaging. Second, it makes personalization easy by merging templates with leaked data and also seamlessly integrating with Open Source Intelligence (OSINT) sources. Third, it reduces the human effort required to run a campaign, which increases throughput.

The result isn’t “smarter extortion.” It’s cheaper extortion at higher volume paired with sharper intimidation artifacts. That combination is what makes waves like this so disruptive.

Why CISOs should care: coercion becomes a business threat

Even when a victim is targeted “personally,” the downstream effects can land inside a CISO’s organization. An employee under threat may avoid reporting, reuse credentials poorly, or comply with nefarious demands. Panic and stress can lead to unsafe behaviors, and this noise can weave its way into an organization, distracting security teams from secondary attacks that aim to exploit some of that chaos.

If a resilience program covers ransomware but not coercion-driven fraud and extortion, there could be an operational gap. Sextortion waves are a reminder that the adversary’s true target is often decision-making under pressure.

What organizations should do during a wave

The objective in a wave is speed, clarity, and support. Issue a same-day bulletin that states what is happening, what employees should do, and how to report. Keep it stigma-free. The most important message is this: employees can report safely, and they won’t get in trouble.

Next, harden the identity bridge. Ensure MFA is enforced for email and sensitive applications, watch for anomalous sign-ins, and monitor for new device enrollments. Then improve detection quality by treating this as a campaign: pattern match across inboxes and route messaging to a single owner to reduce confusion and duplicate work.

The resilience lesson

Waves like this are not just security events; they’re leadership events. The organizations that respond well reduce harm by moving fast, communicating clearly, and providing support. They also learn: which workflows were stress-tested, where employees hesitated, and what verification gates were missing.

If you treat coercion as out-of-scope, you will eventually treat it as an incident, under pressure. Build the playbook now.

Key takeaways

  • Normalize coercion reporting; activate employee assistance programs immediately to protect people and organizational reputation.
  • Instrument wave messaging detection to tune signals and reduce both data fatigue and operational distraction.
  • Harden identity ecosystems fast; enforce MFA immediately to prevent panic-driven account takeover actions.
  • Operationalize extortion playbooks and drill them regularly to reduce chaos and decision latency.

AI Powered Cybercrime – Scale: From One-off attacks to broad campaigns

Part 2 of AI Powered Cybercrime

Once AI facilitates and reduces the skill barrier, the next step is predictable: industrialization. Scale is not simply “more X.” It’s more volume, experiments, parallel campaigns, faster iteration, and lower cost per attempt. Attackers can tolerate failure because machines keep trying and keep learning.

In practice, scale changes how risk is experienced. The question stops being “can this attack be blocked?” and becomes “can we withstand continuous throughput without fatigue, mistakes, or control bypass?” If the attacker runs campaigns like a high-volume system, defenders must design controls that behave like high-volume systems too.

Scale is attack throughput based on more attempts, more variation, and faster learning loops than human teams can match.

How scale happens

Cybercrime at scale is a stack: commodity infrastructure to deliver, automation to orchestrate, and AI to generate convincing content and decision support. That stack allows adversaries to operate like entire sophisticated teams, testing, measuring response rates, iterating on what works, and abandoning what doesn’t.

This matters because “good enough” at massive volume beats “excellent” at low volume. Even if your controls catch 99.9% of attempts, at enough throughput the remaining 0.1% becomes a real business problem.

Agentic workflows: campaigns become orchestrated systems

The most important mental model for scale is orchestration. Instead of one attacker manually working a process, you face workflows that plan tasks, execute in parallel, and adapt based on outcomes. Target research, lure writing, follow-ups, and handoffs can be partially automated, even when a human remains in the loop for high-value steps.

For defenders, this means control gaps are discovered faster, exploited more accurately, and reused more reliably. If your organization has exception-heavy processes (e.g., ad hoc approvals, inconsistent vendor change procedures, unclear escalation paths) those become discoverable cracks that an attacker’s system can exploit repeatedly.

Dark social distribution: coordination at platform speed

Distribution and coordination channels accelerate scale by enabling rapid churn: new templates, new lists, new scripts, and fast feedback loops from peers. The operational consequence is that takedowns and blocks often trail behind the adaptation cycle. If you rely solely on external enforcement or on the hope that a campaign will “fade out,” you will lose the timing battle.

This is why brand and executive impersonation monitoring matters. When attackers can quickly align a pretext with what’s visible about your leadership, partners, or vendors, they can now manufacture credibility in hours.

DDoS and distraction: availability pressure as a cover layer

At scale, disruption is often a tactic, not an outcome. Availability pressure can consume attention, create noise, and induce rushed decisions that enable secondary goals (e.g., fraud, credential abuse, or data theft). The attacker doesn’t need to “win” the DDoS battle; they need to win the operational tempo battle.

The resilience countermeasure is degraded-mode planning. If you pre-stage how the business continues when systems are strained (e.g., what gets paused, what gets routed differently, who approves exceptions) you reduce the attacker’s ability to force mistakes through urgency.

A/B testing on humans: volume plus variation

A subtle but powerful aspect of scale is experimentation. Attackers don’t need a perfect lure. They need a pipeline that generates variants, tests them across segments, measures responses, and doubles down on what works. AI makes this cheap: the cost of a new variant approaches zero.

This turns awareness training into an operational control problem. You’re no longer defending against one “phishing style.” You’re defending against a continuously mutating persuasion engine. The stable defense is workflow integrity, consistent rules for high-risk actions, enforced regardless of how convincing the request appears.

What to do: control throughput with identity and workflow gates

To survive scale, design defenses like you’re protecting a high-traffic API. The objective is not perfect prevention; it’s making irreversible actions rare, gated, and verifiable. Start with the workflows that move money, grant access, or export sensitive data.

Phishing-resistant MFA and risk-based session controls reduce account takeover success. Dual control and out-of-band verification reduce fraud success. Campaign-level detection reduces fatigue by catching patterns across many inboxes or users rather than treating each event as a one-off.
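A sketch of the campaign-level detection described here, and of the earlier advice in the sextortion-wave post to pattern match across inboxes. It is an added example, not code from the original posts. It masks the per-victim details, compares reported messages by word-shingle overlap, and surfaces any cluster that spans several mailboxes so it can go to one owner. The sample messages, mask patterns and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of user-reported messages: (reporting mailbox, body).
SAMPLE_REPORTS = [
    ("alice@example.com", "Hello Alice Moore, I know you live at 12 Oak Street. "
     "I have recorded you. Send 1500 dollars in bitcoin to "
     "1ConstructedWalletValueAAAAAAAAAA1 within 24 hours or everyone you know will see it."),
    ("bob@example.com", "Hello Bob Chen, I know you live at 98 Pine Avenue. "
     "I have recorded you. Send 2000 dollars in bitcoin to "
     "1ConstructedWalletValueBBBBBBBBBB2 within 48 hours or everyone you know will see it."),
    ("carol@example.com", "Hi Carol Diaz, I know that you live at 7 Elm Road. "
     "I have recorded you. Transfer 1800 dollars in bitcoin to "
     "3ConstructedWalletValueCCCCCCCCCC3 within 24 hours or everyone you know will see it."),
    ("dave@example.com", "Reminder: the quarterly planning meeting moved to Thursday "
     "at 10. Please update your calendar and bring the budget draft."),
    ("erin@example.com", "Your invoice 4411 is attached. Payment is due in 30 days. "
     "Thank you for your business."),
    ("frank@example.com", "Your invoice 4412 is attached. Payment is due in 45 days. "
     "Thank you for your business."),
]

# Personalized fields change per victim, so mask them before comparing.
# These patterns are deliberately loose illustrations, not validators.
MASKS = [
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "<email>"),
    (re.compile(r"\b(?:bc1|[13])[A-Za-z0-9]{25,59}\b"), "<wallet>"),
    (re.compile(r"\b\d+\s+(?:\w+\s+){1,2}(?:street|avenue|road)\b", re.I), "<address>"),
    (re.compile(r"\b\d+\b"), "<num>"),
]


def shingles(body, k=3):
    """Return the set of k-word shingles of a message after masking."""
    for pattern, placeholder in MASKS:
        body = pattern.sub(placeholder, body)
    words = re.findall(r"<[a-z]+>|[a-z']+", body.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if a and b else 0.0


def find_campaigns(reports, threshold=0.4, min_recipients=3):
    """Cluster near-duplicate messages; keep clusters hitting many mailboxes."""
    sets = [shingles(body) for _, body in reports]
    parent = list(range(len(reports)))

    def find(i):  # union-find with path halving
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(reports)):
        for j in range(i + 1, len(reports)):
            if jaccard(sets[i], sets[j]) >= threshold:
                parent[find(j)] = find(i)

    groups = defaultdict(list)
    for idx in range(len(reports)):
        groups[find(idx)].append(idx)

    campaigns = []
    for members in groups.values():
        recipients = sorted({reports[i][0] for i in members})
        if len(recipients) >= min_recipients:
            campaigns.append({"recipients": recipients, "messages": members})
    return campaigns


if __name__ == "__main__":
    for campaign in find_campaigns(SAMPLE_REPORTS):
        print(len(campaign["recipients"]), "mailboxes:", campaign["recipients"])
```

The pairwise comparison is quadratic in the number of reports, which is fine for a triage queue; heavily reworded variants will fall below the overlap threshold, so pair this with stable signals such as the payment demand itself.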

Board-level framing

Scale bends the loss curve upward even if individual success rates decline. Boards should ask a small set of questions that map directly to business continuity: Which workflows are irreversible? Which are gated? How fast can we verify? How quickly can we contain identity-driven compromise?

If you can answer those questions with metrics (e.g., time-to-verify, exception rates, time-to-contain) you can translate a complex threat into operational readiness and financial risk reduction.

Key takeaways

  • Assume nonstop attack throughput and model monthly to reduce fraud and downtime exposure.
  • Harden approval workflows; the goal is to enforce dual control always while preventing irreversible payment loss.
  • Automate identity containment by tuning regularly to cut attacker dwell time and blast radius.
  • Instrument dark social risk; the goal is to monitor weekly to reduce brand-driven compromise and extortion.
  • Govern exceptions tightly by reviewing regularly to prevent blind-spot failures and audit fallout.

AI Powered Cybercrime – Facilitation: How AI lowers the skill barrier for attackers

Part 1 of AI Powered Cybercrime

Cybercrime has historically had a skills bottleneck. Someone had to do the research, craft a believable story, write the lure, build the tooling, and then keep the victim engaged long enough for an outcome. Even for seasoned operators, that work takes time, and time is money.

Generative AI has changed the economics of that effort. It acts like a quality assistant that can draft, rephrase, personalize, and refine at machine speed. The net effect is not simply “smarter attackers.” It’s more adversaries that historically could not operate in this space. It is also a set of adversaries that can now perform at a higher baseline, scale larger, with fewer mistakes and more believable artifacts.

In this series, I use “facilitation” to describe the first-order impact of AI on cybercrime: removing friction across the attack lifecycle so that an individual attack becomes easier to execute, easier to adapt, and more likely to succeed.

Facilitation is where AI makes individual attacks better by lowering the skill barrier and improving content and/or persuasion quality.

The Facilitation Lens

A useful way to think about AI-enabled crime is as a pipeline. Attackers rarely win because they have one magic tool; they win because they can move smoothly from one stage to the next, recon, pretext, access, execution, and monetization. AI can assist at every stage, and it doesn’t need to be perfect. It only needs to be good enough to keep the process flowing through its journey.

For defenders, this creates a trap: many programs still focus on blocking discrete artifacts (one phishing email, one payload hash, one suspicious domain). Facilitation shifts advantage to the attacker because artifacts can be generated rapidly and with great volume; but the human processes and identity controls on the defensive side often remain static.

AI-powered malware: from coding to assembling outcomes

“AI malware” may inspire unrealistic notions of a fully autonomous super-virus. The more realistic, and more dangerous, reality is simpler: AI compresses development and iteration cycles. Instead of writing everything from scratch, adversaries can draft components, refactor quickly, generate variants, and troubleshoot faster. That matters because it reduces the time between idea and execution. It also empowers people that would not be operating in cybercrime without AI capabilities.

For defenders, the implication is that static signatures and one-off IOCs degrade faster. The same intent can show up as many slightly different implementations, and the “shape” of attacks changes just enough to evade brittle detection logic.

What can be done about this? Shift emphasis toward behavior and context. Instead of some static defense model, we need to become more adaptable. If some payload dynamically changes, attackers will likely still need access to credentials, session tokens, the creation of persistence, or the exfiltration of data. Those are the slivers of opportunity where defenders have a chance of stable detection and containment. Given today’s dynamic, the best place to shrink an attacker’s options is identity: the stronger and more tightly governed the identity boundary, the fewer places malicious tooling can successfully land.

Deepfakes: visual presence is no longer identity

Deepfakes move social engineering from “message deception” to “presence deception.” It’s one thing to spoof a sender name; it’s another to appear on a call as someone your team recognizes. That’s why deepfake-enabled fraud is so consequential: it attacks the human verification shortcuts we’ve relied on for decades, voice, face, and confidence.

The operational lesson is straightforward: “I saw them on video” is no longer a control. Nor is it a point of trust. A convincing presence can be manufactured, and group dynamics can be exploited to create social proof. The only reliable protection is to place high-risk actions behind verification steps that synthetic media cannot satisfy, out-of-band callbacks to known numbers, dual control for sensitive payments, and defined escalation rituals when urgency appears.

Social engineering: AI adds memory, consistency, and coordination

The biggest upgrade AI brings to social engineering is not grammar, it’s continuity. AI can maintain context over time, keep a persona consistent across messages and disparate systems, and pivot smoothly when a target makes adjustments. That capability turns many “one-and-done” lures into persistent conversations that wear down defenses.

This is why awareness training that focuses on typos and awkward phrasing is losing relevance. The tell is increasingly a process violation: a new payment path, a new channel, a sudden bypass of normal approvals, or an exception request that tries to compress decision time. If your employees know how to spot workflow bypass, they can defeat even polished, highly personalized lures.

Vibe hacking: weaponizing emotion to bypass analysis

Vibe hacking is the weaponization of emotion as a control bypass. Attackers don’t need you to believe every detail; they need you to act before you verify. Shame, urgency, fear, status, and belonging are some of the levers that move decisions faster than policy comes into play.

The countermeasure is not “tell people to be calm.” The countermeasure is building organizational escape hatches: clear permission to slow down, explicit escalation paths, and operational friction for irreversible actions. If urgency is treated as a trigger for verification, not a reason to move faster, we can turn the attacker’s primary advantage into a liability.

Short term reset

If you want one practical takeaway from facilitation, it’s this: identity and workflow integrity are choke points. AI can generate unlimited persuasion and/or manipulation artifacts, but we have to force it to cross an authorization boundary somewhere.

Start by identifying the three most irreversible workflows in your organization, picking from a pool such as payments, vendor banking changes, payroll updates, privileged access grants, or large data exports. Then ensure those workflows have step-up verification that cannot be satisfied by a sense of urgency, polished messaging, or synthetic media. Finally, run a short blind red-team exercise on a deepfake or coercion scenario and measure how long it takes the organization to verify and contain. Blind means the exercise must mimic reality.

Key takeaways

  • Assume high-quality lures and retrain owners monthly to reduce fraud loss and downtime.
  • Gate privileged actions and enforce out-of-band checks always; the goal is to prevent unauthorized transactions.
  • Detect behavior shifts and tune telemetry regularly to cut dwell time and response costs.
  • Standardize escalation and drill managers quarterly; the goal is to reduce coercion-driven errors.
  • Institutionalize dissent and review exceptions monthly to avoid governance blind spots and audit fallout.

Adversarial Intelligence: How AI Powers the Next Wave of Cybercrime

AI Summit New York City – December 11, 2025

On December 11, 2025, I spoke at the AI Summit in New York City on a topic that is becoming unavoidable for every security leader: AI is not just improving cyber attacks, it is transforming cybercrime into an intelligence discipline.

The premise of the talk was simple: adversaries are no longer running isolated campaigns with a clear beginning and end. They are building living, learning models of target organizations (e.g., your people, workflows, identity fabric, operational rhythms) and then using generative-class models and autonomous agents to probe, personalize, adapt, and persist.

The core shift: AI gives attackers decision advantage

In an AI-accelerated threat environment, the attacker’s edge often comes down to decision advantage. They see you earlier, target you more precisely, and adapt in real time when controls block them. In a pre-AI world, that level of precision required time and rare talent. Now it is becoming repeatable, automated, scalable, and accessible to people with no real skill.

Where AI shows up in the modern attack lifecycle

When people think about “AI in cybercrime”, they often jump straight to malware generation. That is not wrong, but it is incomplete. In practice, AI technologies are being applied across the attack lifecycle.

Reconnaissance becomes continuous

Autonomous agents can enumerate exposed assets, map third-party relationships, and monitor public signals that reveal how teams operate. Recon becomes less like a phase and more like a background process, always learning and always refreshing the target model.

Social engineering becomes high-context

Generative models do not just write better phishing emails. They enable sentiment analysis, tone and context matching, multi-step pretexting, and persuasion that mirrors internal language and business cadence. The outcome is fewer “obvious” lures and more synthetic conversations that simply feel real.

Identity attacks scale faster than traditional controls

Identity is the front door to modern enterprises (e.g., SaaS, SSO, MFA workflows, help desk interactions, API keys). AI-powered adversaries can probe identity systems at scale, adaptively test variants, and blend into normal traffic patterns, especially when enforcement is inconsistent.

“Proof” gets cheaper: impersonation goes operational

Deepfakes and impersonation have moved from novelty to operational enablement. They can be used for vibe hacking (e.g., pressure targets, accelerate trust, push high-risk decisions), especially in finance, vendor-payment, and administrative workflows.

The defensive answer is not “more AI”. It is better strategy.

A common trap is thinking, “attackers are using AI, so we need AI too”. Yes, some AI is necessary, but alone it is not enough. Winning here requires adversary-informed security: security designed to shape attacker behavior, increase attacker cost, and force outcomes.

Three tactics that disrupt malicious automation

Deception Engineering: make the attacker waste time … on purpose

Deception is no longer just honeypots and honeytokens. Done well, it is environment design: believable paths that look like privilege or data access, instrumented to capture telemetry and shaped to slow, misdirect, and segment adversary activity. The goal is not only detection. It is decision disruption, raising uncertainty and forcing changes within the adversary’s ecosystem.

Adversarial Counterintelligence: treat your enterprise as contested information space

Assume adversaries are collecting, correlating, and modeling your ecosystem, then design against that reality. Practical counterintelligence includes reducing open-source signal leakage, hardening executive and finance workflows against impersonation, and introducing verification into high-risk decisions without paralyzing the business.

AI honeypots and canary systems: fight automation with instrumented ambiguity

AI-enabled adversaries love clean feedback loops. So do not give them any. Modern deception systems can present plausible but fake assets (APIs, credentials, source code repositories, data stores), generate dynamic content, and create unique fingerprints per interaction so automation becomes a liability.
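One way to give each interaction its own fingerprint, as an added example rather than code from the talk or from any deception product. Every decoy credential embeds the interaction that served it plus a truncated HMAC, so when the value is later presented anywhere it can be recognized and traced back without a lookup table. The `svc_` prefix, field layout, key and interaction log are hypothetical and constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

PREFIX = "svc_"   # hypothetical: chosen to resemble the real API key format
TAG_LEN = 12      # bytes of HMAC-SHA256 kept as the authenticity tag
PAYLOAD_LEN = 12  # 8-byte interaction id + 4-byte issue time

# Constructed log of which session was served which decoy.
INTERACTIONS = {
    1001: {"src": "203.0.113.7", "served_at": "/internal/config.json"},
    1002: {"src": "198.51.100.23", "served_at": "/repo/.env.backup"},
}


def mint_decoy(key: bytes, interaction_id: int, issued_at: int) -> str:
    """Build a decoy credential that is unique to one interaction."""
    payload = struct.pack(">QI", interaction_id, issued_at)
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    return PREFIX + base64.urlsafe_b64encode(payload + tag).decode()


def identify_decoy(key: bytes, presented: str):
    """Return the embedded fields if `presented` is one of our decoys.

    Real credentials, malformed strings and tampered decoys return None.
    """
    if not presented.startswith(PREFIX):
        return None
    try:
        raw = base64.urlsafe_b64decode(presented[len(PREFIX):])
    except ValueError:  # covers bad padding and non-ASCII input
        return None
    if len(raw) != PAYLOAD_LEN + TAG_LEN:
        return None
    payload, tag = raw[:PAYLOAD_LEN], raw[PAYLOAD_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    interaction_id, issued_at = struct.unpack(">QI", payload)
    return {"interaction_id": interaction_id, "issued_at": issued_at}


def attribute(key: bytes, presented: str, interactions: dict):
    """Join a presented decoy back to the session that harvested it."""
    hit = identify_decoy(key, presented)
    if hit is None:
        return None
    return {**hit, **interactions.get(hit["interaction_id"], {})}


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-use"  # constructed value
    token = mint_decoy(demo_key, 1002, 1700000000)
    print(token)
    print(attribute(demo_key, token, INTERACTIONS))
```

The payload is authenticated but not encrypted, so use random rather than sequential interaction ids if the decoy has to look opaque to whoever collects it.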

What this means for CISOs: measure money, not security activity

If you are briefing a board, do not frame this as anything like “AI is scary”. Frame it as: AI changes loss-event frequency, loss magnitude, and time-to-detection/time-to-containment. These can directly impact revenue, downtime, regulatory exposure, and brand trust. If attackers can industrialize reconnaissance and/or persuasion, then defenders must industrialize identity visibility, verification controls, detection-to-decision workflows, and deception at scale.

Key takeaways

  • Assume continuous and automated recon.
  • Harden verification workflows against synthetic content; train executive and administrative teams regularly.
  • Deploy deception at scale; raise attacker cost to reduce downtime.
  • Operationalize counterintelligence; aim to avoid blind spots to reduce exposure.
  • Quantify decision advantage to accelerate funding decisions and defend revenue/margins.

Closing thought

AI is accelerating the adversary, no question. It has also lowered the entry barrier to cybercrime. But it is also giving defenders a chance to re-architect advantage: to move from passive defense to active disruption, from generic controls to adversary-shaped environments, and from security activity to measurable business outcomes.

The real message behind adversarial intelligence is this: the winners will not be the organizations that merely “adopt AI”. They will be the organizations that use it to deny attackers decision advantage, and can in turn prove it with metrics the business understands and values.